Facebook has been having a bittersweet last few days. Earlier this week, the company changed its policy to make it more transparent why posts are suggested to users, letting them see why they were targeted for particular ads and giving them the option to opt out. Before that, however, Facebook made the big mistake of storing user passwords in a readable format that company employees could see. Their latest blunder is something that just defies all imagination.
If you thought Facebook was taking your security seriously, you might think they are overdoing it with their latest blunder.
Twitter user OriginalSushi (e-sushi) chronicles their troubling ordeal with Facebook, which forced them to enter the password for the email address attached to their account … on Facebook.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
If you have been playing online games or been on the internet long enough, you’d know the cardinal rule of the internet and passwords: never enter your credentials on another site unless you know it's secure.
While Facebook can be called a ‘secure’ platform, they still have no right to ask for the password for an email account attached to the relevant Facebook account.
Over the last few days, e-sushi has put out a steady stream of tweets documenting how Facebook demands the email password when the email host is unknown to it, along with their futile efforts to circumvent the prompt.
e-sushi further shared how to replicate the issue. This is a prompt you’d be likely to see if you were using an email address that isn’t well known to Facebook.
#request: Pls try to replicate it. Visit the front page of Facebook, fill the sign up form with a burner email not known to FB, and register. Chances are you'll hit the same verification screen. If you do, confirm here in a reply. The more confirmation we get on this, the better.
— e-sushi (@originalesushi) April 1, 2019
Many users have said that this is a measure taken to deter people from making fake burner accounts with temporary email addresses like 10minutemail, but it equally affects legitimate users with less common email providers, like e-sushi.
We all know Facebook has an issue with fake accounts used for a variety of reasons. While we have to commend the social media giant for taking the issue of fake profiles so seriously, it still isn’t right to ask for the password of an unrelated account that Facebook has no right to access.
Facebook has since resolved the issue and issued a statement for it.
#Facebook: “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
Guess that's a #MissionComplete. 😏
Stay safe y'all and remember to never share your secrets with any 3rd party… ever. https://t.co/u0b7bCcuej
— e-sushi (@originalesushi) April 3, 2019
This is once again a reminder that you should always be vigilant of any site asking for information that is irrelevant to it. Facebook handles suspicious or fake profiles by asking their owners to upload government-provided documents to unlock frozen accounts, but this method of reducing fake accounts simply crosses a line.